[Samba] Samba 4 + Squidguardian

Rowland Penny rowlandpenny241155 at gmail.com
Tue Oct 20 10:55:17 UTC 2015


On 20/10/15 10:32, L.P.H. van Belle wrote:
>> Well, I will give you this one, on DC you cannot, but on a domain member
>> you can: winbind use default domain = yes
>> However, it is not recommended to use the DC as a fileserver
> wbinfo -u returns only usernames on my DCs.

Yes, cannot argue with that, 'wbinfo -u' does only return usernames, but 
then again, that is what it is designed to do :-)

>
> Just add this to the DC and it works fine. Yes, yes, it's for a member server, but it works fine for me on my DCs also, and as a result getent, id and wbinfo
> return the same info on all my servers.

Are you 100% sure about this? See inline comments:

>
> I believe it's safe to use it like this.
> Side note: IF you assign all users/groups a UID/GID.
> If not all are assigned, the groups on the DC get a 3xxxxxx GID or no users are shown.
>

Doesn't work like that for me: if I give a user a uidNumber, that is 
what is returned on a DC, and the same goes for groups and gidNumber. If I 
don't use a uidNumber or gidNumber, then I get a 3xxxxxx on a DC (apart 
from Administrator, who gets a UID of 0).


>         # Use home directory and shell information from AD
>          winbind nss info = rfc2307

You need to use 'idmap_ldb:use rfc2307 = yes'

>          winbind use default domain = yes

This has never worked for me.

>          template shell = /bin/bash
>          template homedir = /home/users/%U

Yes these will work and in fact are the only way on a DC to set them.

Rowland

>
> Greetz,
>
> Louis
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Tuesday, 20 October 2015 11:10
>> To: samba
>> Subject: Re: [Samba] Samba 4 + Squidguardian
>>
>> On 20/10/15 09:05, mathias dufresne wrote:
>>> 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>
>>>      On 19/10/15 16:46, mathias dufresne wrote:
>>>
>>>          AD from Samba or Microsoft is mainly a database for storing
>>>          users (and associated stuff). It also comes with stuff
>>>          (protocols) to connect and retrieve information.
>>>
>>>          How the client uses this information is, as always, a choice
>>>          made by that specific client.
>>>
>>>          Your AD client is your Squid/Squidguard(ian) server. Its job
>>>          as AD client is to get some user information from AD to build
>>>          system users. I insist on the fact that system users are
>>>          forged. Purely.
>>>
>>>          What is responsible for that forging process? What you declared
>>>          in /etc/nsswitch.conf. Generally it is winbind, sssd or nslcd.
>>>
>>>          Each one of these tools comes with its own set of options,
>>>          tweaks and configuration files to define how to forge users
>>>          from the local system's point of view.
>>>
>>>          Each one except for winbind, which forges users as it decides
>>>          to, no matter the desires of the local system admin. At least
>>>          this is how I understood winbind's behaviour (which has no
>>>          configuration file as far as I know).
>>>
>>>
>>>      Well, apart from idmap.ldb on a DC and the idmap_config lines in
>>>      smb.conf on a domain member, there are no configuration files. :-D
>>>
>>>
>>> idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
>>> idmap_config lines in smb.conf -> how would you set them to configure
>>> Winbind to not add the domain to the user?
>> Well, I will give you this one, on DC you cannot, but on a domain member
>> you can: winbind use default domain = yes
>> However, it is not recommended to use the DC as a fileserver
>>
>>> To use gidNumber rather than 100 which seems to reflect
>>> "primaryGroupID: 513",
>> Give the users unique uidNumbers and Domain Users a gidNumber
>>
>>> to set up home directory to unixHomeDirectory or to homeDirectory
>>> rather than /home/<short domain name>/ sAMAccountName?
>> template homedir = /home/%U
>>
>>> Is it possible to use CN or userPrincipalName rather than sAMAccountName
>>> when building the system user?
>> No, you have lost me again, what do you mean by 'building the system user'
>>
>>> So it is not configurable.
>> Yes it is, fully on a domain member, partially on a DC
>>
>>>
>>>
>>>          Perhaps you are using winbind; in that case winbind is
>>>          responsible for adding the domain and backslashes when forging
>>>          your users.
>>>
>>>          I don't know nslcd at all, but some on that mailing list are
>>>          using it, so I expect it does its job too.
>>>
>>>          I tried SSSD for the company I'm working for these days and it
>>>          comes with a lot of configuration options. I expect it can
>>>          force the addition of the AD domain to the username, but it is
>>>          not the default behaviour.
>>>
>>>          On some DC where it uses winbind to forge users:
>>>
>>>
>>>      No, sorry, I cannot understand what you mean by forge, in English
>>>      this word is used for creating your own banknotes or a thing used
>>>      by a blacksmith.
>>>
>>>
>>> In fact a blacksmith forges items using blacksmith tools. He creates
>>> these items. These items can be something other than his own tools. In
>>> fact if a blacksmith was only able to craft his own tools and nothing
>>> else for other people, this kind of job would have quickly
>>> disappeared...
>>
>> So what you meant was 'create a user', please don't try to get creative
>> with the English language, just say what you mean.
>> As for forge and a blacksmith, the word can mean the place a blacksmith
>> works, the 'action' of the blacksmith doing something i.e. a blacksmith
>> forges horseshoes (technical note: no, this is actually done by a farrier)
>> (further note: blacksmiths have virtually disappeared)
>> Have we played enough with *my* language yet?
>>
>>> Anyway you get the point, forging, crafting, building, assembling
>>> elements to obtain something else, they are same concept.
>> Same basic concept, but they all mean totally different things.
>>
>>>
>>>
>>>      If you add a uidNumber to a user in AD, then it should show
>>>      on a DC, even if you are not using winbind.
>>>
>>>
>>> Here you should have meant "if you are using winbind", which is true
>>> for the UID and wrong for the GID, which does not reflect the gidNumber
>>> configured in AD.
>> Ah, that is because you think that if you give a user a gidNumber, this
>> becomes the user's main GID; it doesn't. The user's primary gid number is
>> obtained from what is set in the aptly named 'PrimaryGidNumber'
>> attribute: AD obtains this and then uses whatever gidNumber that group's
>> object contains.
>>
>>
>>> Should I speak again about home dir? Shell? Gecos? Login attribute?...
>>
>> No, because I have already dealt with that.
>>
>>> SSSD grants the sysadmin the possibility to choose all that, forging
>>> users as the sysadmin wants to (which is most generally what his bosses
>>> asked of him). Winbind can't.
>>> And here the question is "how can the user have a username using the
>>> <username> syntax rather than <domainname>\<username>?" Is it possible
>>> to remove the domain part from the username when using winbind? With
>>> the idmap_config lines perhaps? :p
>> Anything that sssd can do, winbind can do, but, as I have admitted, only
>> fully on a domain member.
>>
>>> And more: how the system is configured to retrieve users from AD! AD
>>> seems well configured: it works. The question is about how to obtain
>>> system users according to what this user needs and not according to
>>> what winbind thinks is the right way.
>> As I said, winbind will do what sssd does; in fact winbind is that good,
>> the later versions of sssd implement a lot of the winbind code.
>>
>> Rowland
>>
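An added worked example, not code from anyone in this thread: given a constructed sample of AD user and group objects, it predicts the passwd entry a Samba DC would hand out with 'idmap_ldb:use rfc2307 = yes' and the quoted template lines, resolves the primary GID through primaryGroupID and the group's gidNumber as Rowland describes, and flags accounts that would fall back to an allocated 3xxxxxx id. The domain SID, account names and id numbers are all constructed.

```python
DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed domain SID, not a real one

# Constructed sample of AD objects (a subset of what ldbsearch would show).
GROUPS = [
    {"sAMAccountName": "Domain Users", "objectSid": f"{DOMAIN_SID}-513", "gidNumber": 10000},
    {"sAMAccountName": "squid-admins", "objectSid": f"{DOMAIN_SID}-1105", "gidNumber": 10005},
    {"sAMAccountName": "nogid", "objectSid": f"{DOMAIN_SID}-1106"},  # gidNumber never set
]
USERS = [
    {"sAMAccountName": "louis", "uidNumber": 10001, "primaryGroupID": 513, "gidNumber": 10005},
    {"sAMAccountName": "mathias", "primaryGroupID": 513},  # uidNumber never set
    {"sAMAccountName": "squid", "uidNumber": 10002, "primaryGroupID": 1106},
    {"sAMAccountName": "Administrator", "primaryGroupID": 513},
]
TEMPLATE_HOMEDIR = "/home/users/%U"  # the smb.conf template lines quoted in the thread
TEMPLATE_SHELL = "/bin/bash"


def predict_passwd(user, groups, homedir=TEMPLATE_HOMEDIR, shell=TEMPLATE_SHELL):
    """Return (uid, gid, home, shell, warnings); None means 'allocated from idmap.ldb'."""
    name, warnings = user["sAMAccountName"], []
    if name == "Administrator":  # the built-in Administrator is mapped to UID 0 on a DC
        uid = 0
    elif "uidNumber" in user:
        uid = user["uidNumber"]
    else:
        uid = None
        warnings.append(f"{name}: no uidNumber, winbind will allocate a 3xxxxxx uid")
    # The primary GID is the gidNumber of the group whose RID equals the user's
    # primaryGroupID; a gidNumber set on the user object itself is ignored.
    primary_sid = f"{DOMAIN_SID}-{user['primaryGroupID']}"
    group = next((g for g in groups if g["objectSid"] == primary_sid), None)
    if group is None or "gidNumber" not in group:
        gid = None
        warnings.append(f"{name}: primary group {primary_sid} has no gidNumber")
    else:
        gid = group["gidNumber"]
    return uid, gid, homedir.replace("%U", name), shell, warnings


def audit(users=USERS, groups=GROUPS):
    """List every account whose ids would not be the explicitly assigned ones."""
    return [w for u in users for w in predict_passwd(u, groups)[4]]


if __name__ == "__main__":
    for u in USERS:
        uid, gid, home, shell, _ = predict_passwd(u, GROUPS)
        print(f"{u['sAMAccountName']}:x:{uid}:{gid}::{home}:{shell}")
    print("\n".join(audit()))
```

Running it against a real DC would mean replacing the constructed GROUPS and USERS with the output of ldbsearch on sam.ldb; the resolution logic stays the same.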